Two security flaws has disclosed in Samsung’s Galaxy Store app for Android that are exploited by a local attacker to install arbitrary apps to fraudulent landing pages on the web.
The issues that tracked as CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Group which is notified to the South Korean chaebol in November and December 2022. Samsung has classified the bugs as moderate risk and release fixes in version 184.108.40.206 shipped this month.
Samsung Galaxy Store has previously known as Samsung Apps and Galaxy Apps which is a dedicated app store used for Android devices manufactured by Samsung. It launched in September 2009.
The first of the two vulnerabilities is CVE-2023-21433 that could enable an already installed rogue Android app on a Samsung device to install any application which was available on the Galaxy Store.
Samsung described as a case of improper access control that has been patched with proper permissions to prevent unauthorized access.
The shortcoming impacts Samsung devices that are running Android 12 and before and does not affect those which are on the latest version (Android 13).
The second vulnerability which is CVE-2023-21434 relates to an instance of improper input validation occurring when limiting the list of domains that could be launched as a WebView from within the app that effectively enabling a threat actor to bypass the filter and browse to a domain under their control.
Tapping a malicious hyperlink in Google Chrome or a pre-installed rogue application on a Samsung device that can bypass Samsung’s URL filter and launch a webview to an attacker controlled domain.
The update comes as Samsung rolled out security updates for the month of January 2023 to remediate several flaws that are some of which could be exploited to modify carrier network parameters which control BLE advertising without permission.